There are a large number of instances where it would be desirable to provide an improved method for a user to authenticate an action. Currently there is a potential security problem in any system which requires a user to log in to a web server by providing a user name and password. Such systems rely on the password being something that the user alone knows. However, the password can be compromised, for example, by so-called “phishing” where a user is tricked into providing their password to a party that is not entitled to the password by getting the user to visit a bogus website and enter their name and password.
It has recently become more popular to employ “2-factor” security techniques which rely on their being something that the user alone has in their possession as well as something the user alone knows. A typical device which is used in such systems is a token that generates a unique code every 60 seconds thereby creating what is in effect a new secondary password every 60 seconds. To defeat such a security measure the person must either obtain the person's password and their security device or learn the secondary password during the very short period of time where it is valid. Accordingly, such devices provide a higher level of security.
A first problem with such devices is that if the person does not carry out all transactions from the same location they must carry the token with them which can be inconvenient. Further, the tokens are typically configured so that they can only act as a secondary password to one additional system. Thirdly, if the user does not use the device regularly, they can readily misplace the token. Fourthly, the tokens can be difficult to distribute. Fifthly, as specific hardware has to be provided for the secondary password, the cost of such tokens is relatively high and accordingly is only attractive to employ them in relation to high security risk transactions or when the potential damage that may be suffered is high.
WO 03/063411 proposes a system which produces an SMS message containing a limited-duration, one-time password and sends it to a user's mobile terminal. A modified Subscriber Identification Module (SIM) is used to store an asymmetric key application and associated software. The user activates the program, enters a personal code to decrypt the user's private key which thus authorises the mobile terminal to decode the SMS using the user's private key. A problem with this system is that it relies on the distribution of specific hardware to the user. Further, as the keys are on the SIM, distribution is dependent on the telecommunications provider. Still further, the one-time password will not contain any data that indicates that it has been decoded by the user i.e.—the one-time password is independent of the user.
It would be desirable to provide a more convenient method of authenticating an action.